CVE-2025-68508

Brave <= 0.8.3 - Missing Authorization

mediumMissing Authorization
5.3
CVSS Score
5.3
CVSS Score
medium
Severity
0.8.4
Patched in
14d
Time to patch

Description

The Brave – Create Popup, Optins, Lead Generation, Survey, Sticky Elements & Interactive Content plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on a function in all versions up to, and including, 0.8.3. This makes it possible for unauthenticated attackers to perform an unauthorized action.

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
None
Confidentiality
Low
Integrity
None
Availability

Technical Details

Affected versions<=0.8.3
PublishedDecember 23, 2025
Last updatedJanuary 5, 2026
Affected pluginbrave-popup-builder

Source Code

WordPress.org SVN
Research Plan
Unverified

# Exploitation Research Plan - CVE-2025-68508 (Brave Popup Builder) ## 1. Vulnerability Summary The **Brave Popup Builder** plugin for WordPress (versions <= 0.8.3) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the function responsible for updating a p…

Show full research plan

Exploitation Research Plan - CVE-2025-68508 (Brave Popup Builder)

1. Vulnerability Summary

The Brave Popup Builder plugin for WordPress (versions <= 0.8.3) contains a missing authorization vulnerability within its AJAX handling logic. Specifically, the function responsible for updating a popup's status (brave_popup_update_status) is registered to both wp_ajax_ and wp_ajax_nopriv_ hooks but fails to perform a capability check (e.g., current_user_can('manage_options')). This allows unauthenticated attackers to enable or disable any popup on the site, provided they can obtain a valid security nonce.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: brave_popup_update_status
  • HTTP Method: POST
  • Authentication: None required (unauthenticated via wp_ajax_nopriv_)
  • Required Parameters:
    • action: brave_popup_update_status
    • nonce: A valid nonce for the brave_popup_builder_nonce action.
    • id: The integer ID of the target popup (post type brave_popup).
    • status: The desired status (0 for disabled/inactive, 1 for enabled/active).

3. Code Flow (Inferred)

  1. Entry Point: The request hits admin-ajax.php with action=brave_popup_update_status.
  2. Hook Trigger: Since the action is registered via add_action('wp_ajax_nopriv_brave_popup_update_status', ...), WordPress routes the request to the handler function even for unauthenticated users.
  3. Nonce Verification: The handler calls check_ajax_referer('brave_popup_builder_nonce', 'nonce').
  4. Missing Check: The code proceeds to update the status without checking the user's roles or capabilities.
  5. Sink: The function updates the brave_popup_status meta field or the post_status for the given ID:
    update_post_meta( $popup_id, 'brave_popup_status', $new_status );

4. Nonce Acquisition Strategy

The plugin enqueues a script that localizes the required nonce for frontend interactions.

  1. Shortcode/Trigger: The plugin's scripts are typically enqueued on pages where a popup is active.
  2. Setup: Create a test popup and publish it to ensure the scripts are loaded on the frontend.
  3. Extraction:
    • Navigate to the homepage or a page containing a popup.
    • Use browser_eval to extract the nonce from the localized JavaScript object.
    • JS Variable: window.brave_globals or window.brave_popup_data (check both).
    • Nonce Key: nonce.
    • Code: browser_eval("window.brave_globals?.nonce || window.brave_popup_data?.nonce")

5. Exploitation Strategy

Step 1: Create Test Data

Create a published popup to target.

# 1. Create the popup post
POPUP_ID=$(wp post create --post_type=brave_popup --post_title="Vulnerable Popup" --post_status=publish --porcelain)

# 2. Set the initial status to 1 (Enabled)
wp post meta update $POPUP_ID brave_popup_status 1

Step 2: Extract Nonce

Navigate to the frontend and retrieve the brave_popup_builder_nonce.

  • Tool: browser_navigate to http://localhost:8080/
  • Tool: browser_eval using the script identified in Section 4.

Step 3: Execute Unauthorized Status Change

Send a POST request to disable the popup.

  • URL: http://localhost:8080/wp-admin/admin-ajax.php
  • Headers: Content-Type: application/x-www-form-urlencoded
  • Body: action=brave_popup_update_status&nonce=[NONCE]&id=[POPUP_ID]&status=0

6. Test Data Setup

  • Plugin: Brave Popup Builder <= 0.8.3 installed and active.
  • Content: At least one post of type brave_popup with brave_popup_status set to 1.
  • Visibility: Ensure the popup is "published" so its assets/nonces are rendered on the frontend.

7. Expected Results

  • Response: The server should return a success code (e.g., 1, true, or a JSON success message).
  • Impact: The popup's metadata in the database is changed, causing it to disappear from the frontend or show as "Inactive" in the admin dashboard.

8. Verification Steps

After the HTTP request, verify the change using WP-CLI:

# Check the value of the 'brave_popup_status' meta key
wp post meta get [POPUP_ID] brave_popup_status
# Expected value: 0

9. Alternative Approaches

If brave_popup_update_status is not the exact action name, search the plugin source for other nopriv registrations:

grep -r "wp_ajax_nopriv_" wp-content/plugins/brave-popup-builder/

Check for:

  • brave_toggle_popup
  • brave_save_popup_settings
  • brave_update_status

If the nonce is not in brave_globals, check the page source for any JSON blob containing "nonce":".

Check if your site is affected.

Run a free security audit to detect vulnerable plugins, outdated versions, and misconfigurations.